Security audit

Dreamlover Character Skill Generator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local character-skill generator with conditional local memory, but users should understand that generated roleplay skills can retain chat-derived memories in a workspace database.

Install only in workspaces where local file generation and local memory are acceptable. Generated child skills can create .dreamlover-data/memory.sqlite3 containing chat-derived preferences, boundaries, relationship state, summaries, and excerpts; delete that database or isolate the workspace when you want a fresh/no-memory run, and review optional OpenClaw export paths before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The description presents the skill as an intake-first character skill generator, but the body also authorizes persistent memory handling, evidence indexing, style extraction, versioning, and optional export behaviors that materially expand its data processing footprint. This mismatch is dangerous because users or reviewers may grant or invoke the skill expecting limited content-generation behavior while it can also collect, persist, route, and summarize user-specific memory, increasing privacy and data-governance risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script persists extracted user profile, relationship, and episodic data into a local database, which materially exceeds the stated skill purpose of intake/skill-distillation for anime/game characters. That mismatch is dangerous because it creates hidden retention of user data and expands the skill into behavioral tracking without clear justification or scope limitation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code extracts long-term preferences, dislikes, boundaries, stable facts, and relationship labels such as trust, closeness, and dependency from user text, then stores them persistently. This is dangerous because it enables covert profiling of users' emotional state and interpersonal dynamics, which is highly sensitive and not justified by the declared skill context.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The CLI description says memory is committed after a character reply, but the implementation actually parses and stores the user message. This discrepancy is dangerous because it obscures what data is being collected, undermines informed review, and can cause operators or users to misunderstand that their own inputs are being profiled and retained.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements logic to infer when to read and write persistent user memory, plus database retrieval of relationship, profile, episodic, and summary data. That capability is materially broader than the stated intake-and-skill-packaging purpose, creating a hidden data-retention and profiling surface that could collect or use sensitive personal context without clear necessity.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code fetches persistent relationship state, user preferences, episodic memories, and conversation summaries tied to a user identifier. For a skill described as creating or updating distilled character skills, this is unjustified collection and access to sensitive long-term personal data, enabling profiling or intimate-context persistence beyond user expectations.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements persistent conversational memory retrieval and decision logic for reading, writing, and summarizing user-specific state, which is materially unrelated to the skill's declared intake/distilled-skill creation purpose. That mismatch is dangerous because it can covertly expand the skill's capabilities to process user memory and relationship data without clear user expectation, review scope, or least-privilege justification.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script opens a persistent memory database, checks relationship state, counts unsummarized episodes, and fetches user/character memory payloads keyed by character_slug and user_id. In the context of a skill whose stated purpose is intake and distilled skill creation, this is an unjustified access path to persistent user data and creates privacy, surveillance, and unauthorized data-use risk if invoked by an agent or wrapper.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The CLI description explicitly states that the script prepares conditional memory context for a character reply, directly contradicting the declared skill purpose. This inconsistency is a strong indicator of capability smuggling or repurposed code, making security review harder and increasing the chance that operators will unknowingly deploy hidden memory-handling behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This script performs persistent writes by inserting into `conversation_summary` and updating `episodic_memory`, but the skill metadata describes character-skill distillation rather than long-term user memory storage. Hidden or under-disclosed persistence is risky because it can retain user-derived conversation content beyond user expectations, creating privacy, consent, and data-governance exposure.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The file manages episodic and conversation memory for a character/user pair, which is not obviously necessary for a skill focused on canon/persona/style distillation and wrapper export. That mismatch makes the memory collection more dangerous in context: it suggests unnecessary retention of interaction history, increasing privacy risk and the chance of profile building or unintended surveillance-like behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The generated wrappers embed instructions to run local Python memory scripts using interpolated user and assistant message content. In an agent ecosystem, this expands the skill from static content generation into tool-orchestrated execution, increasing the risk of unintended command use, sensitive conversation persistence, and unsafe downstream handling if those runtime scripts are weakly implemented.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes user-supplied message content and derived summaries/excerpts into persistent local memory stores without any indication of consent, notice, or sensitivity filtering. This is dangerous because private conversations, boundaries, and emotional disclosures may be silently retained and later reused or exposed through the local datastore.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This function retrieves potentially sensitive memory records from multiple tables, including relationship status, preferences, events, emotions, and summaries, but there is no indication in this file of user-facing disclosure or consent gating. Even if disclosure exists elsewhere, this code path normalizes broad access to intimate data and increases privacy risk if reused or called unexpectedly.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.